match_hostname function from system ssl module should be used

Bug #1538480 reported by Vincent Ladeuil on 2016-01-27
Affects: Bazaar
Importance: High
Assigned to: Vincent Ladeuil

Bug Description

From the mailing list:

bzr contains a copy of the match_hostname implementation from Python 3 whose wildcard matching rules do not follow RFC 6125; as a consequence it can be used for a DoS attack [0]. Since Python v2.7.9, ssl.match_hostname is fully merged into the standard library and should be used instead of the implementation inside

bzrlib/transport/http/_urllib2_wrappers.py

A possible patch is available here [2]. Maybe the tests for matching hostname could be removed completely when the ssl library is used.
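
As an added example (not part of the bug report, and not code from bzr or from Python's ssl module), the sketch below shows a hostname matcher that follows a conservative reading of RFC 6125 section 6.4.3. The names dnsname_match, cert_matches and CertificateNameError are hypothetical, and the limit of one wildcard per name is a choice made for this example; the point is that a name from an untrusted certificate is validated and compared with bounded work.

```python
# Added illustration: conservative wildcard matching after RFC 6125 section 6.4.3.
# dnsname_match / cert_matches are hypothetical names, not bzrlib or ssl APIs.

class CertificateNameError(ValueError):
    """Raised when a certificate name pattern is not acceptable."""


def dnsname_match(pattern, hostname):
    """Return True if certificate DNS name `pattern` matches `hostname`."""
    if not pattern or not hostname:
        return False
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    # Reject before doing any matching work: the cost of evaluating a name
    # must not grow with the number of '*' an untrusted peer puts in it.
    if pattern.count("*") > 1:
        raise CertificateNameError("too many wildcards in %r" % pattern)

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    leftmost, rest = p_labels[0], p_labels[1:]

    # A wildcard is only honoured in the left-most label.
    if any("*" in label for label in rest):
        raise CertificateNameError("wildcard outside left-most label in %r" % pattern)

    if "*" not in leftmost:
        return p_labels == h_labels
    # A wildcard stands for exactly one label, so the label counts must agree
    # and everything to the right of it must match literally.
    if len(p_labels) != len(h_labels) or rest != h_labels[1:]:
        return False
    # Wildcards never match inside an IDNA A-label ("xn--...").
    if leftmost.startswith("xn--") or h_labels[0].startswith("xn--"):
        return False
    # Plain prefix/suffix comparison instead of a compiled regex.
    prefix, suffix = leftmost.split("*", 1)
    label = h_labels[0]
    return (len(label) >= max(1, len(prefix) + len(suffix))
            and label.startswith(prefix) and label.endswith(suffix))


def cert_matches(san_dns_names, hostname):
    """True if any subjectAltName dNSName entry matches `hostname`."""
    return any(dnsname_match(name, hostname) for name in san_dns_names)
```

A caller should treat CertificateNameError the same way as a non-matching certificate and refuse the connection.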

Vincent Ladeuil (vila) on 2016-01-31
Changed in bzr:
status: In Progress → Fix Released